---
title: "SeLinux & AppArmor & Firejail"
date: 2020-6-4
categories:
- linux
tags:
---

<div id="content">
<div id="table-of-contents">
<h2>Table of Contents</h2>
<div id="text-table-of-contents">
<ul>
<li><a href="#org1a41cac">AppArmor</a>
<ul>
<li><a href="#orgb5f9795">AppArmor and Mariadb</a></li>
</ul>
</li>
</ul>
</div>
</div>
<blockquote>
<p>
<a href="https://retro64xyz.gitlab.io/presentations/2018/10/16/firejail-and-apparmor/">https://retro64xyz.gitlab.io/presentations/2018/10/16/firejail-and-apparmor/</a>
</p>
</blockquote>
<div class="outline-2" id="outline-container-org1a41cac">
<h2 id="org1a41cac">AppArmor</h2>
<div class="outline-text-2" id="text-org1a41cac">
</div>
<div class="outline-3" id="outline-container-orgb5f9795">
<h3 id="orgb5f9795">AppArmor and Mariadb</h3>
<div class="outline-text-3" id="text-orgb5f9795">
<p>
After a recent upgrade from MySQL to MariaDB the database failed to start; tracking down the cause is how I came across AppArmor.
</p>
<blockquote>
<p>
<a href="https://blogs.oracle.com/jsmyth/apparmor-and-mysql">https://blogs.oracle.com/jsmyth/apparmor-and-mysql</a>
<a href="https://askubuntu.com/questions/750604/why-does-mariadb-keep-dying-how-do-i-stop-it">https://askubuntu.com/questions/750604/why-does-mariadb-keep-dying-how-do-i-stop-it</a>
</p>
</blockquote>
<p>
Below is the content of /etc/apparmor.d/usr.sbin.mysqld. It explains that AppArmor is of little use for MariaDB, so the package ships an empty profile to disable AppArmor confinement of MariaDB.
</p>
<pre class="example">
# This file is intentionally empty to disable apparmor by default for newer
# versions of MariaDB, while providing seamless upgrade from older versions
# and from mysql, where apparmor is used.
#
# By default, we do not want to have any apparmor profile for the MariaDB
# server. It does not provide much useful functionality/security, and causes
# several problems for users who often are not even aware that apparmor
# exists and runs on their system.
#
# Users can modify and maintain their own profile, and in this case it will
# be used.
#
# When upgrading from previous version, users who modified the profile
# will be prompted to keep or discard it, while for default installs
# we will automatically disable the profile.
</pre>
<p>
Use the command {% raw %} aa-status {% endraw %} to see which processes are confined. If mysqld is listed as confined, lift the restriction:
{% raw %} ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/ {% endraw %}
and then reboot the system (some say {% raw %} sudo service apparmor reload {% endraw %} works without a reboot, but it did not seem to take effect for me).
</p>
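<p>
The check and the disable step above, as an added example that is not part of the original post: a small POSIX shell script that reads the mode mysqld is confined in from aa-status output (a constructed, abridged sample is embedded because the real tool needs root) and prints the commands that disable the profile without a reboot. The profile path is the one the post names; everything else is assumed.
</p>

```shell
#!/bin/sh
# Added example, not from the original post. Parses `aa-status` output and
# emits the profile-disable steps that `aa-disable` performs under the hood.

# Constructed sample of `aa-status` output (abridged), standing in for the
# real command, which requires root.
SAMPLE_AA_STATUS='apparmor module is loaded.
2 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/mysqld
   /usr/sbin/tcpdump
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/mysqld (1234)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# mysqld_mode STATUS_TEXT -> prints enforce | complain | unconfined
# Walks the "profiles are in ... mode" sections of the output and reports
# the section that lists the mysqld binary; "unconfined" if none does.
mysqld_mode() {
    printf '%s\n' "$1" | awk '
        /profiles are in enforce mode/    { mode = "enforce";  next }
        /profiles are in complain mode/   { mode = "complain"; next }
        /processes have profiles defined/ { mode = "" }
        mode != "" && $1 == "/usr/sbin/mysqld" { print mode; found = 1; exit }
        END { if (!found) print "unconfined" }'
}

# disable_commands PROFILE_FILE -> prints the two commands `aa-disable` runs.
# The symlink into /etc/apparmor.d/disable/ keeps the profile from loading
# at boot; `apparmor_parser -R` unloads it from the running kernel, which is
# the step `service apparmor reload` does not do (reload only re-parses the
# files in /etc/apparmor.d and leaves an already-loaded profile in place).
# Caveat: if the file on disk is already empty while the old MySQL profile
# is still loaded, `-R` finds nothing to remove; unload it by name instead:
#   echo -n /usr/sbin/mysqld > /sys/kernel/security/apparmor/.remove
disable_commands() {
    profile="$1"
    printf 'ln -s %s /etc/apparmor.d/disable/\n' "$profile"
    printf 'apparmor_parser -R %s\n' "$profile"
}

# Stand-alone run: report the mode from the sample, then the fix.
echo "mysqld confinement: $(mysqld_mode "$SAMPLE_AA_STATUS")"
disable_commands /etc/apparmor.d/usr.sbin.mysqld
```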
</div>
</div>
</div>
</div>
<div class="status" id="postamble">
<p class="date">Date: 2020-6-4</p>
<p class="author">Author: gdme1320</p>
</div>
